Red Hat npm Supply Chain Attack: 'Miasma' Shai-Hulud Variant Compromises Developer Packages
security github supply-chain-attack npm red-hat cloud-security devsecops
trending_up Trend: security

Red Hat npm Supply Chain Attack: 'Miasma' Shai-Hulud Variant Compromises Developer Packages

calendar_month June 4, 2026

Summary

Multiple npm packages under the @redhat-cloud-services organization have fallen victim to a severe supply chain attack. Threat actors injected the “Miasma” worm—a variant of the notorious Shai-Hulud malware—designed to steal cloud credentials and environment variables from developer workstations and CI/CD pipelines. This incident highlights the escalating risk of compromised dependencies within established cloud ecosystems.

What happened?

  • Package Compromise: Unknown actors gained access to Red Hat’s publishing workflows, injecting malicious code into several packages within the @redhat-cloud-services scope.
  • Worm Behavior: The “Miasma” malware acts as a worm, spreading through local environments post-installation and actively searching for .env files, AWS credentials, and Kubernetes configurations.
  • Shai-Hulud Variant: Security researchers at Orca Security identified Miasma as a technically advanced evolution of Shai-Hulud, featuring improved exfiltration methods.
  • Affected Platforms: The attacks were independently confirmed by Orca Security, Aikido, StepSecurity, and CyberPress.

Why it matters

Red Hat is a cornerstone of enterprise IT. When packages under a trusted organization like @redhat-cloud-services are compromised, it undermines the fundamental trust in the npm ecosystem. Developers often rely blindly on packages from major cloud providers, making them ideal targets for supply chain attacks. The theft of cloud credentials can lead to massive data breaches and full infrastructure takeovers.

Evidence

Security firms have published detailed analyses of the malicious package versions:

  1. Orca Security: Documented the initial discovery and the technical infection flow.
  2. Aikido & StepSecurity: Confirmed the compromise of specific package names and provided indicators of compromise (IOCs).
  3. CyberPress: Analyzed the impact on cloud-native environments.

Analysis

The use of a Shai-Hulud variant points to professional actors. Unlike simple “typosquatting” attacks, this is a direct supply chain compromise (Account Takeover or CI/CD bypass). The focus on environment variables shows that attackers increasingly understand that the “crown jewels” of modern infrastructure lie in ephemeral configurations and secrets stores.

Practical Takeaways

  • Immediate Audit: Check all projects for the use of @redhat-cloud-services packages.
  • Freeze Versions: Use npm shrinkwrap or package-lock.json to lock down known good versions.
  • Secrets Hygiene: Use IAM roles instead of static keys and never store secrets in plaintext .env files.
  • Pipeline Scanning: Implement tools to detect malicious code in dependencies within your CI/CD pipeline.

Open Questions

  • How exactly were the attackers able to infiltrate Red Hat’s infrastructure?
  • Are there other, yet undiscovered packages containing similar code?
  • Have already stolen credentials been actively used for follow-up attacks?

Sources

  1. Orca Security: Red Hat npm Supply Chain Attack
  2. StepSecurity: Multiple redhat-cloud-services npm Packages compromised
  3. Aikido: Red Hat npm Packages compromised - Credential Stealing Worm
  4. CyberPress: Red Hat Cloud npm Packages Compromised
  5. Phoenix Security: Miasma Red Hat Cloud Services npm Supply Chain Attack